Non-Empty Stateless Network Firewall Rule Groups Should Not Be Present
More Info:
This rule checks if a stateless Network Firewall Rule Group contains rules. It ensures that there are rules defined in the stateless Network Firewall Rule Group. The rule is marked as non-compliant if there are no rules in the stateless Network Firewall Rule Group.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the non-empty stateless network firewall rule groups in AWS EC2 using AWS console, follow these steps:
- Open the Amazon VPC Console: Go to the AWS Management Console, navigate to the VPC service.
- Navigate to Security Groups: In the VPC dashboard, click on “Security Groups” in the left-hand menu.
- Identify the Security Group: Identify the security group that has non-empty stateless network firewall rule groups. You can check the rules defined in each security group to find the non-empty ones.
- Edit the Security Group: Select the security group that needs to be remediated and click on the “Inbound Rules” or “Outbound Rules” tab, depending on where the non-empty rule group is present.
- Remove Non-Empty Stateless Rules: Look for any rules that are not required or are unnecessarily broad. To remove a rule, select it and click on the “Delete” or “Remove” button.
- Add Necessary Rules: If any necessary rules were inadvertently removed, add them back in a way that follows the principle of least privilege. Click on the “Add Rule” button to define a new rule.
- Review and Save Changes: Once you have removed the non-empty stateless rules and added any necessary rules, review the changes to ensure they align with your security requirements. Click on the “Save” or “Apply” button to apply the changes.
- Verify the Security Group: After saving the changes, verify that the security group no longer contains any non-empty stateless network firewall rule groups.
Using CLI
Using CLI
To remediate the issue of having non-empty stateless network firewall rule groups in AWS EC2 using AWS CLI, follow these steps:Replace
- List all the security groups in your AWS account using the following AWS CLI command:
-
Identify the security group that has non-empty stateless network firewall rule groups. Look for the security group with the
IpPermissionsattribute that contains rules. - Note down the Group ID of the security group that needs to be remediated.
- Remove all the inbound and outbound rules from the identified security group using the following AWS CLI command:
YOUR_SECURITY_GROUP_ID with the actual Group ID of the identified security group.- Verify that the security group no longer has any inbound or outbound rules by describing the security group using the following AWS CLI command:
- Once you have confirmed that the security group is now empty, you have successfully remediated the issue of having non-empty stateless network firewall rule groups in AWS EC2.
Using Python
Using Python
To remediate the misconfiguration of having non-empty stateless network firewall rule groups in AWS EC2 using Python, you can follow these steps:
- Use the AWS SDK for Python (Boto3) to interact with the AWS EC2 service.
- List all the security groups associated with your EC2 instances.
- For each security group, check if there are any stateless network firewall rule groups that are not empty.
- If you find any non-empty stateless network firewall rule groups, remove the rules from the security group.
- Here is a sample Python code snippet that demonstrates how to achieve this:
-
Make sure to replace the placeholder values like
YourRegionandYourProfilewith your actual AWS region and profile name in the code snippet. - Run the Python script to remediate the non-empty stateless network firewall rule groups in your AWS EC2 security groups.